[Taler] sync vs financial security

From:

Jeff Burdges

Subject:

[Taler] sync vs financial security

Date:

Fri, 23 Feb 2018 09:35:44 +0100

I'll split off a separate thread to discuss "theft by sync", which I
also felt got lost in the big synchronization thread.
A "theft by sync" occurs whenever an attacker enables synchronization so
that they can spends coins without the actual owners permission, usually
by gaining temporary physical access and/or tricking the owner. It's
oddly counter intuitive to normal users, which makes it problematic.
Again we have balance sync vs only backup and payment sync.
I pointed out previously that "theft by balance sync" is catastrophic to
real world wallet financial security, due to balance sync making it
undetectable.
If we abandon balance sync, then "theft by backup sync" can still occur.
We can however do device notifications on both double spending and on
coins being taken via balance override, including a prompt to "revoke"
the offending device. In principle this prevents the "slow drain"
attack of "theft by balance sync", which limits total damages.
An attacker may wait for the victim to hold a large balance to then make
a large purchase themselves of course, but police are more likely to
become involved as purchase value increases.
We might also help prevent "theft by sync" by requiring additional
authentication to link wallets:
Right now, there is no wallet password but almost all platforms offer a
keychain tied to reentering login credentials. There is nothing we can
do if the wallet runs in a context accessible by applications the
adversary might install, like on Linux. If otoh platforms provide
applications with some security then accessing the wallet's sync
configuration could require reentering the device password. I'm okay
assuming no zero-days here. This may require App Store signatures and
maybe violate GPL assurances.
We could achieve stronger assurances less tied to device contexts by
using a public key backup scheme in which the backing up device cannot
reread its own backups after submitting them. It does not protect
existing sync users unless we add a novel parallel forward secure
ratcheting scheme too.
At the extreme, if backup servers have a trust relationship with
exchanges, then we might augment this by backup servers requiring an
exchange's signature on a withdrawal records showing similar SEPA origin
details for both devices, so users could not link devices until they had
funded both devices from the same bank account. An adversary could
circumvent this by paying into the victims device, but leaves a trail
via SEPA.
tl;dr Authentication schemes to prevent "theft by sync" on "GNU Linux"
distributions require a fancy public key ratcheting scheme, but maybe
application separation suffices on devices like Android. And balance
sync makes "theft by sync" really nasty.
Jeff
p.s. In this vein, we should check if laws regulate opening joint bank
accounts, as linking Taler wallets may qualify.